If You're Using Windows Remote Desktop You Need To Read This

toggle-button

One of the most useful features built into Windows (but not sadly in the home versions) is Remote Desktop.  Not to be confused with Remote Assistance, Remote Desktop lets you log into your PC via the internet from wherever you happen to be.  It also works on your local LAN, of course, which is useful if you need to access another PC in the house or office without physically sitting at it.

Enabling Remote Desktop takes a single click and is easy to do.  Though you'll also need to change the firewall settings on your router to allow incoming connections to port 3389, which is the way that RD communicates with the outside world.

It comes as no surprise to learn that hackers are now exploiting remote desktop connections.  They have developed automated systems that scour the internet for remote desktop connections and then try to brute-force a login by trying thousands of common combinations of username and password.  Once they gain access, they install a web server on the hacked machine in order to host malware and viruses. They then send out millions of spam messages in an attempt to trick people into visiting your compromised computer.

The advantage to hosting their malware on your PC, rather than on a commercial hosting account, is that the infection is much less likely to be detected, and therefore unlikely to be shut down.

If you use Remote Desktop Connection on your computer in order to allow remote access over the internet, you need to do 2 things.  Firstly, ensure that your username and password are not easy to guess.  Secondly, go to the Local Security Policy on your computer and set a password threshold and a password lockout.  Values of 5 passwords and a 30 minute lockout are sensible options.  This means that, if anyone does try to guess your remote desktop credentials, they'll be locked out for 30 minutes after each 5 incorrect guesses.

As will you, of course, so make sure you set up multiple accounts!

 

 

 

Please rate this article: 

Your rating: None
4.466665
Average: 4.5 (15 votes)
toggle-button

Comments

I use Remmina on Linux to RDP into Windows or Linux PCs.

rob.schifreen states: One of the most useful features built into Windows (but not sadly in the home versions) is Remote Desktop.

To which I say HOORAY. Just one less thing we have to worry about.

Even easier: use something like Teamviewer or Remote Utilities--both free--instead. RD might seem primitive by comparison.

It depends what you want to do. I personally spend around 20 hours a week using Remote Desktop, and have just spent the past 9 hours using it today, to build and configure 5 separate servers from scratch. It does everything I need to do, without requiring any additional software be installed. It's even better when used with a free RDC Manager, such as the one from Microsoft at http://www.microsoft.com/en-us/download/details.aspx?id=21101 Primitive is good sometimes. :)

While Remote Desktop has been around forever, its still one of the best features Windows has to offer. As an IT guy/Developer, I'm not sure how anyone that manages computers/servers could live without it!! :)

SyDiko, THANK YOU!

No problem at all. :)

I'd like to shine some additional light on this topic, because technically any publicly facing computers can suffer from brute-force attacks regardless of the port. And, what I mean by, 'publicly facing' is a computer that can be accessed from the internet or outside of your network.

If you are worried about a brute-force attack on your publicly facing machine then you may want to also look into:

Changing the port of the RDP protocol
- As stated in the article, 3389 is the default RDP port, but this can be changed...GOOGLE IT!

Change the Name of your Administrator account
- Either change the name or disable the account altogether.

Set Complex passwords (10+ combination of upper, lower, and special characters) on your admin account(s)
- Shouldn't have to explain this, but complexity negates brute-force by sheer time constraints. For example, lets say you use the word password, as a password. It's already 8 characters in length, and now lets add some complexity following the above algorithm. I changed password to "p@$sw0rD* and now you have a pretty beefy 10-character password that would take any brute-force attempt something like 500 years to complete. Yeah, I don't think a hacker has the patience to wait that long, but you get my point! :)

Setting up a Home VPN
- Not to be confused with anonymous web surfing services. With a VPN, you wont need your RDP box publicly facing, therefore you are safe from brute-force attacks. However, any computer that you want to use to access your Remote PC will need to be connected to your VPN. If you forget to disconnect or anything like that, you will be subject to attack by your own negligence.

IP/MAC Filtering
- At your router level, only allow access to certain IP and/or mac addresses.

There a few more avenues for additional layers of security, but the above are the easiest to setup.

Thanks SyDiko, that's helpful. However, changing the port won't fool a determined hacker - there are plenty of free tools that will look for RDP services on whatever port they happen to be on. You should certainly change the name of the default administrator account although, from Windows 7 onwards, that account is disabled by default anyway, so no attacker will be able to use it unless you explicitly enable it.

No problem! :)

and yeah, my solutions are hoping that you have an impatient hacker that couldn't be bothered with such trickery.

..."and now you have a pretty beefy 10-character password that would take any brute-force attempt something like 500 years to complete."

This needs a caveat... while it "could" take 500 years to complete it "could" also fluke it on the very first combination attempted. People seem to forget that.

Brute force attacks brings up a combination, then tries it, if unsuccessful, brings up another combination and so on.

Generally though, brute force attacks start with the usual suspects, you know them, password, 12345, notmypassword, abcdefg etc.

Probability is your friend in that sense, and I'm willing to be the odds of that happening are slim to none. What I mean is that most brute-force attacks will use algorithms that sort through lists containing thousands of passwords. You may also have algorithms that try every combination of letter, number, and special characters until it succeeds. Either way, as long as the password isn't common and its greater than 10 alphanumeric + special characters, you should be fine.

Let me also say this, no method is hack proof. However, one can apply deterrents that target patience and hopefully that'll be enough to stop any attack. This is the goal of my little write up. :)